
Re: ssh connection takes long time



Boyd Stephen Smith Jr. wrote:
> In general, you should make sure reverse DNS works for all your IPs.

randall <randall@songshu.org> wrote:
> i doubt that this is a sensible default, if i'm wrong please let me
> know ;)

All systems should have an rDNS record to map the number back to a
name. Ideally, that canonical name should also have a mapping back to
the number.

In the case of dynamic IP ranges, the rDNS record might map back to an
entry that mimics the IP address itself, but tagged on to the end of
that is the organisation responsible for that IP address. For example,
10.11.12.13 might map to 13-12-11-10.dynamic.someisp.net, and it's
easy to see that "someisp.net" is in some way responsible for that IP
address. (I know you can determine IP address ranges via ARIN/RIPE/APNIC,
etc. but that is /much/ more heavyweight.)

If you don't have any rDNS entry at all, OpenSSH (amongst other subsystems
and applications) will hang until the resolver times out.

IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.


> besides how would you do this with a dynamic IP, we are talking clients 
> here and you never know what ISP you might use when traveling around.

Your client is irrelevant in this scenario. The ISP should provide rDNS
entries that map its own address space.


> also i see very little function to this, besides some extra unneeded 
> info in the log i don't see any added security in this feature.

Added security? Probably not a lot in this case. Convenience when trying
to work out who's thumping your box again? Possibly.

Chris
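As an added example (not part of Chris's message or of OpenSSH), here is a small Python model of the reverse-then-forward check described above: build the in-addr.arpa name for an address, look up its PTR, then confirm the name resolves back to the same address. The zone data and the `classify_rdns` helper are constructed for illustration and stand in for a live resolver.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample zone data, not real DNS answers. 10.11.12.13 follows
# the "13-12-11-10.dynamic.someisp.net" pattern from the message;
# 192.168.0.1 has a PTR whose forward record points elsewhere;
# 10.11.12.14 has no PTR at all.
PTR_RECORDS: Dict[str, str] = {
    "13.12.11.10.in-addr.arpa": "13-12-11-10.dynamic.someisp.net",
    "1.0.168.192.in-addr.arpa": "gw.example.invalid",
}
A_RECORDS: Dict[str, List[str]] = {
    "13-12-11-10.dynamic.someisp.net": ["10.11.12.13"],
    "gw.example.invalid": ["192.168.0.2"],
}


def ptr_name(ip: str) -> str:
    """Owner name the resolver queries for a reverse lookup
    (x.x.x.x.in-addr.arpa for IPv4, nibble-reversed ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def classify_rdns(
    ip: str,
    lookup_ptr: Callable[[str], Optional[str]] = PTR_RECORDS.get,
    lookup_a: Callable[[str], List[str]] = lambda n: A_RECORDS.get(n, []),
) -> str:
    """Reverse lookup, then forward lookup of the returned name.

    Returns:
      "no-ptr"    - no reverse record; with a slow or unreachable resolver
                    this is the case where the client waits for a timeout
      "mismatch"  - PTR exists but the name does not resolve back to ip
      "confirmed" - forward-confirmed reverse DNS, the ideal the message asks for
    """
    name = lookup_ptr(ptr_name(ip))
    if name is None:
        return "no-ptr"
    if ip in lookup_a(name):
        return "confirmed"
    return "mismatch"


if __name__ == "__main__":
    for addr in ("10.11.12.13", "192.168.0.1", "10.11.12.14"):
        print(addr, ptr_name(addr), classify_rdns(addr))
```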
